I suppose the good news is that we seemed to be less troubled by
viruses, so either the virus developers have got bored, or our
anti-virus technology has got better, or maybe we're simply not
aware of them.

The question is whether 2005 has been particularly bad for data
breaches, or is it the case that more organisations own up to
indiscretions?

After all, the consequences of being found out are now a lot more
serious than admitting to a problem.

It seems like almost every month last year, some organisation or
other was admitting to backup tapes being misplaced.

In the UK, the Inland Revenue lost a computer disc, sent by the
bank, which contained address and account details of the banks
investors, and apparently they are still looking for the disc.

In Japan, millions of credit card details were stolen. In fact, the
stories go on and on.

The potential seriousness for your business was quantified by the
department of Trade and Industry, which said that 70 per cent of
organisations that experience serious data loss go out of business
within 18 months.

An organisation should never underestimate the potential damage in
case of exposure or loss of confidential data.

This is the reason why most businesses takes great care to ensure
that the physical media is protected in physical safes.

In some cases these physical security measures are even enforced by
formal regulations.

Securing data while it travels between applications, business
partners, suppliers, customers, and other members of an extended
enterprise is crucial.

As enterprise networks continue to become increasingly accessible,
so do the risks that information will be intercepted or altered in
transmission.

For example, how many chief executives are aware that sensitive
data within the organisation is visible to everyone from database
administrators, developers, and system administrators? How many bank
directors are aware that in many cases financial transaction files are
sitting in clear text on application servers?

And not only are they not aware, they don't always understand
the technical issues involved.

Think about the company which is contracted to carry out research
and development for many business partners - do management understand
how confidential R&D data is shared with business partners?

Or how about the financial company that processes payments for non
face-to-face businesses including internet, mail and telephone - does
management know how payment files are delivered to and from merchants?

Regulation means that companies have never been as vulnerable to
the consequences of data breaches as they are today.

The potential damages resulting from loss of reputation, business,
and legal costs can be crippling to many businesses.

So what should you be doing? There are a number of steps to
consider.

And an excellent guideline to follow is the standard developed by
MasterCard and VISA which is designed to protect cardholder information
and must be implemented by members, merchants and service providers.

So if you fall into any of these categories then this is important.

Build and maintain a secure network. Maybe an obvious comment, but
it is important to understand what this means.

You need to have a firewall configuration to protect data and not
use vendor-supplied defaults for system passwords and other security
parameters.

In order for firewalls to be effective, all communication from
untrusted networks or hosts must be blocked, preventing external sources
from interfacing with internal ones.

Protect data. In order to achieve this goal, it is necessary to
ensure that data is protected when it is stored - and wherever it is
stored, and that the data is encrypted when being transmitted across
public networks. Although most will probably employ some type of VPN technology for transmission, the secure storage is often overlooked.

Maintain a vulnerability management program. This is primarily to
ensure that you use and regularly update anti-virus software and
secondly, that you develop and maintain secure systems and applications.
All applications, as well as the network itself, should be protected by
an anti-virus solution.

Implement strong access control measures. This can present a
challenge since it does not simply define Identity Management measures
but also the need to ensure that data is only accessible on a "need
to know" basis.

Ensuring that users have access only to the level of data that they
need is an important step in preventing data theft, particularly
internal data theft.

Regularly monitor and test networks. This section requires that you
track and monitor all access to network resources and data and regularly
test security systems and processes.

One of the best ways to do this is to have an automated audit trail
to assess who had access to data if a security breach was to occur.

Maintain an information security policy. The responsibility for
this falls squarely on your IT department and management team to create,
define and enforce an information security policy throughout the
organisation.

The policy should address all relevant rules and regulations
defined by regulatory bodies who may have an interest in your
activities, and your users should be fully aware of the obligations as
well as penalties for non-compliance.

In today's increasingly regulated business environment
it's only a matter of time until the phone call comes from someone
inviting themselves for a visit.

And hopefully you have all your information readily at hand.

After all, no one doubts that you're an honest businessman,
but can you prove it?

So make the resolution not to be the data breach story of 2006.

All applications, as well as the network, should be protected by an
anti-virus solution

COPYRIGHT 2006 Birmingham Post & Mail Ltd
No portion of this article can be reproduced without the express written permission from the copyright holder.